Top whistleblower software for EU Directive 2019/1937 compliance #
EU Directive 2019/1937 requires private-sector legal entities with 50 or more workers, and public-sector entities (Member States may exempt small municipalities), to operate a secure internal reporting channel. The Directive is specific about what that channel must do: accept written and oral reports, protect the reporter's confidentiality, acknowledge receipt within 7 days, provide feedback within 3 months of that acknowledgment, and keep records of every report without exposing the reporter's identity.
Here is what is strange about this market: whistleblower reporting software is a simple tool. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and keeps an audit trail. That is the entire product.
Yet most vendors hide their pricing behind “contact us for a demo” forms, require weeks-long sales processes, and pad their feature lists with AI-powered analytics, sentiment analysis, and other additions that have nothing to do with what the Directive actually requires. The result is that a compliance officer at a 100-person company ends up on a sales call for a tool that should take ten minutes to set up.
This article ranks the top whistleblower software specifically by how well each platform meets the Directive’s legal requirements — not by brand recognition, AI feature count, or how impressive the sales deck looks.
How we scored #
Every platform was evaluated against the six core requirements of Directive 2019/1937:
| Requirement | Directive articles | What the law demands |
|---|---|---|
| Secure reporting channel | Art. 8, Art. 9(1)(a), Art. 9(2) | Channel designed, established and operated securely so that the confidentiality of the reporter and of any third party mentioned is protected; must accept reports in writing, orally, or both |
| Reporter confidentiality | Art. 16 | Identity not disclosed to anyone beyond the authorized staff who receive or follow up on reports, without the reporter's explicit consent |
| Receipt acknowledgment | Art. 9(1)(b) | Acknowledgment to the reporter within 7 days of receipt |
| Feedback deadline | Art. 9(1)(f) | Feedback within a reasonable time, not exceeding 3 months from the acknowledgment (or from the end of the 7-day window if no acknowledgment was sent) |
| Two-way communication | Art. 9(1)(c) | A designated impartial person or department that maintains communication with the reporter and can ask for further information; whether anonymous reports must be accepted is left to Member States (Art. 6(2)) |
| Record-keeping | Art. 18 | Records of every report kept securely, for no longer than necessary and proportionate, and deleted when no longer needed |
We also considered practical factors: pricing transparency, EU data residency, setup speed, and whether the platform requires a sales call to get started.
The ranking #
1. EthicsPortal — best for SMEs that need fast, affordable compliance #
Directive coverage: complete. EthicsPortal was built specifically for EU Directive 2019/1937. Every feature maps to an article.
| Directive requirement | How EthicsPortal handles it |
|---|---|
| Secure channel (Art. 8) | Encrypted web portal, unique URL per organization, no app required |
| Confidentiality (Art. 16) | No IP logging, file metadata stripping (EXIF, GPS, author), encrypted data at rest |
| 7-day acknowledgment (Art. 9) | Automatic deadline tracking with handler notifications |
| 3-month feedback (Art. 9) | Automatic deadline tracking with overdue alerts |
| Two-way communication (Art. 9) | Anonymous message thread via access code — handler names never revealed |
| Record-keeping (Art. 18) | Immutable audit trail, PDF export for auditors |
Pricing: €49/month flat. No per-employee fees, no add-ons. EU hosting: Yes — Hetzner, Nuremberg, Germany. Setup time: Minutes. Self-serve signup, no sales call.
Why it ranks first: Whistleblower reporting is not a complex problem. The Directive tells you exactly what the tool needs to do, and EthicsPortal does exactly that — nothing more, nothing less. No AI sentiment analysis, no “risk scoring,” no features that exist to justify a higher price tag. Full Art. 8–18 compliance at €49/month, visible on the website, no sales call required.
The trade-off is that EthicsPortal is newer and does not yet have ISO 27001 certification or phone hotline services.
EthicsPortal is our product. We designed it to deliver full Directive compliance with transparent pricing and immediate deployment.
2. Formalize (WhistleblowerSoftware.com) — best for mid-market companies wanting a polished product #
Directive coverage: complete. Built in Denmark with the EU Directive as the primary design driver.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web portal with encryption |
| Confidentiality (Art. 16) | Yes — access controls, data encryption |
| 7-day acknowledgment (Art. 9) | Yes — automated tracking |
| 3-month feedback (Art. 9) | Yes — automated tracking |
| Two-way communication (Art. 9) | Yes — anonymous messaging |
| Record-keeping (Art. 18) | Yes — audit trail |
Pricing: Custom quote required. Previously published per-employee pricing; no longer public. EU hosting: Yes — Denmark. Setup time: Days — involves a demo/sales process.
Why it ranks here: Strong Directive compliance, ISO 27001 and ISAE 3000 certified, #1 on G2 (4.9/5, 157 reviews), 80+ languages. Formalize used to publish pricing on their website — they no longer do, which tells you something about the direction they are heading. You now need to request a quote and go through a sales process to learn what it costs. If you need certifications and a partner ecosystem (PwC, Baker McKenzie), Formalize is a strong choice — but be prepared to negotiate pricing you cannot see upfront.
3. Hintbox — best for German-speaking markets #
Directive coverage: complete. German platform with 1,000+ customers. Part of the lawcode suite.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — encrypted portal, hosted on Hetzner (Germany) |
| Confidentiality (Art. 16) | Yes — metadata stripping, 2FA, virus scanning |
| 7-day acknowledgment (Art. 9) | Yes — deadline tracking |
| 3-month feedback (Art. 9) | Yes — deadline tracking |
| Two-way communication (Art. 9) | Yes — anonymous messaging, optional voice bot (+€49/mo) |
| Record-keeping (Art. 18) | Yes — audit trail |
Pricing: Starting at €49/month. Scales to €149+/month with employee count. Add-ons: voice bot (+€49/mo), email integration (+€29/mo), custom domain (+€29/mo). EU hosting: Yes — Hetzner, Germany. ISO 27001 certified. Setup time: Days.
Why it ranks here: Mature product, large customer base (Rewe, s.Oliver, FC Bayern), ISO 27001 certified. The per-employee pricing and add-on costs mean the effective price is significantly higher than the €49 starting point for most organizations. DACH-focused — limited presence outside German-speaking markets.
4. FaceUp — best free option for small organizations #
Directive coverage: partial at free tier, complete at paid tiers.
| Directive requirement | Free tier | Paid tier |
|---|---|---|
| Secure channel (Art. 8) | Yes | Yes |
| Confidentiality (Art. 16) | Basic | Yes — advanced access controls |
| 7-day acknowledgment (Art. 9) | Manual | Yes — automated |
| 3-month feedback (Art. 9) | Manual | Yes — automated |
| Two-way communication (Art. 9) | Yes | Yes |
| Record-keeping (Art. 18) | Basic | Yes — full audit trail |
Pricing: Free for up to 50 employees. Paid plans start around €50/month, scaling with users. EU hosting: Yes — Czech Republic. Setup time: Hours.
Why it ranks here: The free tier is a genuine option for very small organizations, but it lacks automated deadline tracking and advanced case management, features the Directive does not name but which you will need to demonstrate diligent follow-up (Art. 9(1)(d)) and the 7-day and 3-month deadlines (Art. 9(1)(b), (f)). Originally built for schools, which shows in some UX decisions. Good entry point; may require upgrading as compliance requirements are scrutinized.
5. Whistlelink — best for Nordic companies #
Directive coverage: complete.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes |
| Confidentiality (Art. 16) | Yes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes |
Pricing: Starting around €99/month (starter tier). Enterprise pricing via sales. EU hosting: Yes — Sweden. Setup time: Days.
Why it ranks here: Solid Directive compliance with 35+ languages and good case management. Pricing is 2x the cheapest options without corresponding feature advantages for most SMEs. Strong regional presence in the Nordics.
6. SpeakUp (People Intouch) — best for outsourced case handling #
Directive coverage: complete. One of the longest-running European whistleblower platforms (Netherlands).
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web + phone reporting |
| Confidentiality (Art. 16) | Yes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes |
Pricing: Starting at ~€3,000/year for companies under 1,000 employees. Custom for larger. EU hosting: Yes — Netherlands. Setup time: Days.
Why it ranks here: Unique value proposition: outsourced case handling by trained professionals. If your organization does not have internal resources to manage reports, SpeakUp handles it for you. The trade-off is price — you are paying for human operators, not just software.
7. EQS Integrity Line — best for large enterprises #
Directive coverage: complete. The European enterprise standard.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — 70+ languages |
| Confidentiality (Art. 16) | Yes — enterprise-grade access controls |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes — integrates with GRC suites |
Pricing: Not published. Estimated €2,000+/month. Requires sales process. EU hosting: Yes. Setup time: Weeks.
Why it ranks here: If you are a bank, insurer, or listed company with 5,000+ employees, EQS is the safe enterprise choice. For everyone else, you are paying for features and scale you do not need. Implementation takes weeks, not minutes.
8. NAVEX Global — best for US multinationals with EU operations #
Directive coverage: complete, but EU compliance feels bolted on.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web + phone hotline |
| Confidentiality (Art. 16) | Yes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes — strong analytics |
Pricing: Custom. Typically €5,000+/year. Requires sales process. EU hosting: Available as an option, not default. Setup time: Weeks.
Why it ranks here: NAVEX is the dominant US compliance platform with decades of history and thousands of clients. Their EthicsPoint product covers the Directive, but the platform was designed for US regulatory frameworks first. EU hosting is available but not the default. Enterprise pricing and long implementation cycles put it out of reach for SMEs.
Which platform should you choose? #
| Your situation | Best choice |
|---|---|
| SME or startup, need compliance fast, budget-conscious | EthicsPortal (€49/mo, minutes to set up) |
| Mid-market, want certifications and partner ecosystem | Formalize (custom pricing, ISO certified) |
| German-speaking market, need ISO 27001 | Hintbox (€49+/mo, ISO 27001) |
| Under 50 employees, need free option | FaceUp (free tier) |
| Nordic company, prefer regional vendor | Whistlelink (€99+/mo) |
| Need outsourced case handling | SpeakUp (~€3,000/yr) |
| Large enterprise (5,000+ employees), full GRC suite | EQS Integrity Line (custom pricing) |
| US multinational with EU subsidiary | NAVEX Global (custom pricing) |
Why most platforms are overpriced for what they do #
Every platform on this list covers the core requirements of Directive 2019/1937. That is worth repeating: the basic compliance functionality is the same across all of them. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and logs an audit trail.
The price difference between €49/month and €5,000+/year is not explained by the Directive’s requirements. It is explained by sales teams, enterprise packaging, AI features that no compliance officer asked for, and the assumption that “compliance software” can be priced like enterprise SaaS.
Three of the eight platforms on this list (Formalize, EQS Integrity Line, NAVEX) do not publish their pricing at all, and two more (Whistlelink, SpeakUp) publish only a starting figure with enterprise tiers behind a sales call. To learn what those cost you have to fill out a form, get on a call, sit through a demo, and then, maybe, receive a quote. For a tool whose core workflow a spreadsheet could handle (badly), this is absurd.
If you are evaluating platforms, focus on three things:
- Does it cover Art. 8–18? All platforms above do, at their paid tiers.
- Is data hosted in the EU? The Directive does not prescribe a hosting location, and GDPR permits transfers under an adequacy decision or standard contractual clauses, but EU hosting is the simplest way to keep reporter data out of a Chapter V transfer analysis. If a vendor hosts outside the EU, ask for the documented transfer mechanism and the sub-processor list.
- Can you see the price and sign up today? If a vendor will not show you the price, ask yourself what they are optimizing for.
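One more check worth running before you sign: the metadata-stripping claims in the confidentiality rows above (EthicsPortal, Hintbox) are easy to make and just as easy to verify on a trial account. Upload a JPEG that carries Exif with a GPS sub-IFD, retrieve it from the handler side, and inspect the file. The Python below is an added example, not code from any vendor on this page; it uses only the standard library and works at the JPEG marker-segment level, so it runs offline on any file. It finds Exif (and specifically the GPS IFD pointer), XMP, IPTC and comment segments, and the same parser doubles as a stripper. The sample JPEG is constructed inline as a bare segment layout, not a decodable photo, and the segment labels and function names are this example's own.

```python
"""Find and strip identifying metadata in a JPEG at the marker-segment level.

Added example (not vendor code). Standard library only. The sample input at
the bottom is constructed by hand and is not a real photograph.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, APP14, COM = 0xE0, 0xE1, 0xED, 0xEE, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}   # markers with no length field
GPS_IFD_POINTER = 0x8825                              # IFD0 tag pointing at the GPS sub-IFD


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker: skip it
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            if marker == EOI:
                return
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes itself
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:                   # entropy-coded data follows; stop parsing
            return
        pos = end


def exif_ifd0_tags(payload: bytes) -> list[int]:
    """Tag ids in IFD0 of an APP1 Exif payload (payload = bytes after the length field)."""
    tiff = payload[6:]                      # skip the 'Exif\0\0' prefix
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header inside Exif segment")
    (ifd,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    return [struct.unpack(order + "H", tiff[ifd + 2 + 12 * i: ifd + 4 + 12 * i])[0]
            for i in range(count)]          # each IFD entry is 12 bytes; tag id is the first 2


def classify(marker: int, payload: bytes) -> list[str]:
    """Labels for a segment that carries metadata worth stripping, else an empty list."""
    if marker == COM:
        return ["Comment"]
    if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
        labels = ["Exif"]
        if GPS_IFD_POINTER in exif_ifd0_tags(payload):
            labels.append("Exif/GPS")
        return labels
    if marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return ["XMP"]
    if marker == APP13 and payload.startswith(b"Photoshop 3.0\x00"):
        return ["IPTC"]
    if 0xE0 <= marker <= 0xEF and marker not in (APP0, APP14):
        return [f"APP{marker - 0xE0}"]     # unknown APPn: not needed to decode, so strip it
    return []                               # JFIF (APP0) and Adobe (APP14) affect decoding: keep


def find_metadata(data: bytes) -> list[str]:
    found = set()
    for marker, start, end in iter_segments(data):
        found.update(classify(marker, data[start + 4:end]))
    return sorted(found)


def strip_metadata(data: bytes) -> bytes:
    out = bytearray(b"\xff\xd8")
    tail = 2
    for marker, start, end in iter_segments(data):
        tail = end
        if not classify(marker, data[start + 4:end]):
            out += data[start:end]
    out += data[tail:]                      # scan data and EOI are copied unchanged
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF + Exif (IFD0 holding a GPS IFD pointer) + a comment + a
# placeholder scan. Only the segment layout matters; it is not a decodable image.
_tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                          # big-endian, IFD0 at 8
_ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(">I", 0)
_gps_ifd = struct.pack(">H", 0)                                        # empty GPS IFD at 26
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00" + _tiff + _ifd0 + _gps_ifd)
    + _segment(COM, b"shot on reporter's phone")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"                                                      # placeholder scan data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE_JPEG))
    print("after: ", find_metadata(strip_metadata(SAMPLE_JPEG)))
```

Run `find_metadata` on the file you downloaded from the handler view; anything other than an empty list means the vendor's "metadata stripping" left identifying data in place. The same idea applies to PDFs and Office documents, where the author field lives in the document properties rather than in Exif, so test those formats too. Note that this is a client-side check only: it cannot tell you whether the platform logs reporter IP addresses, which you can only verify from a vendor's documentation, audit reports or a data processing agreement.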
No whistleblower platform can make your organization compliant by itself. Compliance also requires internal policies, designated handlers, training, and documented procedures. The software is the reporting channel — one piece of a larger compliance framework. It should not be the most expensive or time-consuming piece.
For a detailed article-by-article breakdown of how EthicsPortal meets each requirement, see our compliance page.